Description

The HTTP/2 protocol implementation (mod_http2) had an incomplete handling of the LimitRequestFields directive. This allowed an attacker to inject unlimited request headers into the server, leading to eventual memory exhaustion.

References

• BID-94650
• CVE-2016-8740
• DISA_SEVERITY-Category I
• IAVM-2017-A-0010
• REDHAT-RHSA-2017:1161
• REDHAT-RHSA-2017:1413
• REDHAT-RHSA-2017:1414
• REDHAT-RHSA-2017:1415
• URL: http://httpd.apache.org/security/vulnerabilities_24.html

Solution

Related Vulnerabilities

• SUSE: CVE-2016-8740: SUSE Linux Security Advisory
• HP-UX: CVE-2016-8740: HPE HP-UX Web Server Suite running Apache, Multiple Vulnerabilities
• Gentoo Linux: CVE-2016-8740: Apache: Multiple vulnerabilities
• Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 5
• IBM HTTP Server: CVE-2016-8740: HTTP/2 CONTINUATION denial of service
• Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 7
• Alpine Linux: CVE-2016-8740: apache2 Multiple vulnerabilities
• OS X update for apache (CVE-2016-8740)
• FreeBSD: (Multiple Advisories) (CVE-2016-8740): Apache httpd -- several vulnerabilities
• Oracle Solaris 11: CVE-2016-8740: Vulnerability in Apache HTTP server
• Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 6